AD gets an eraser
In March 2000, Microsoft released the Active Directory Migration Tool (ADMT; you'll find it at http://www.microsoft.com/windows2000/library/planning/activedirectory/admt.asp). Third-party migration tools are richer in features, but ADMT is free and is a must for anyone trying to design an Active Directory (AD) structure. The tool is only about a 2.5MB download, which you can obtain quickly, even if you don't have access to a Digital Subscriber Line (DSL) or cable modem.
AD is a pretty good offering, but it requires you to do a lot of designing and planning. And you'd better implement your plan right the first time because undoing things in AD is difficult; I often liken AD to a pencil without an eraser.
Now, ADMT serves as AD's eraser. ADMT mainly moves user accounts and similar information en masse from an existing Windows 2000 or Windows NT 4.0 domain into an existing Win2K domain. Being able to move accounts and related information from one domain to another is the key to domain consolidation.
The World Before ADMT
Suppose you have two NT 4.0 domains, FIRST and SECOND, that contain several thousand users (not to mention machine accounts), and some higher-up tells you to combine those two domains into one larger domain named ALLFOLKS. You'd have to recreate the FIRST and SECOND user accounts in ALLFOLKS. Now and then, you'd find that FIRST contained a user account whose name also appeared in SECOND, resulting in a collision. If both domains contain a johnsmith, one of those users will have to become johnsmith01 or some other variation.
How would you recreate all those user accounts? You could type them in one at a time or use a command-line tool such as the Adduser utility in the Microsoft Windows NT 4.0 Resource Kit. But Adduser isn't good at handling name collisions. Suppose further that ALLFOLKS is a Win2K domain, and you want to put all of the FIRST users in one organizational unit (OU) and the SECOND folks in another OU. Adduser won't help with that task either, but ADMT will.
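The collision handling and per-source OU placement described above, as an added planning example (not part of the original article and not ADMT's own logic). The account names are constructed, the DC=allfolks,DC=example,DC=com suffix is a hypothetical DN for ALLFOLKS, and the 20-character cap is the sAMAccountName limit for user accounts.

```python
# Constructed sample exports (not real accounts): source domain -> account names.
SOURCE_ACCOUNTS = {
    "FIRST": ["johnsmith", "maryjones", "johnsmith01"],
    "SECOND": ["JohnSmith", "alee", "maryjones"],
}
TARGET_DN = "DC=allfolks,DC=example,DC=com"  # hypothetical DN for ALLFOLKS


def plan_migration(sources, target_dn=TARGET_DN, max_len=20):
    """Build a consolidation plan: one OU per source domain, unique target names.

    Returns (plan, collisions). Names are compared case-insensitively, as
    account names are in NT and AD. A renamed account never takes a name
    that some other source account already owns, so two different people
    are never silently merged into one identity.
    """
    # Every name that exists in any source domain, lower-cased.
    reserved = {n.lower() for names in sources.values() for n in names}
    taken = set()          # lower-cased names already assigned in the target
    plan, collisions = [], []

    for domain in sorted(sources):
        ou = f"OU={domain},{target_dn}"
        for name in sources[domain]:
            candidate, n = name, 0
            # Keep the original name if it is free; otherwise append 01, 02, ...
            # and skip suffixed names that a real source account already uses.
            while candidate.lower() in taken or (n and candidate.lower() in reserved):
                n += 1
                suffix = f"{n:02d}"
                candidate = name[: max_len - len(suffix)] + suffix
            taken.add(candidate.lower())
            if candidate != name:
                collisions.append((domain, name, candidate))
            plan.append({"source": f"{domain}\\{name}", "target": candidate, "ou": ou})
    return plan, collisions


if __name__ == "__main__":
    plan, collisions = plan_migration(SOURCE_ACCOUNTS)
    for row in plan:
        print(f'{row["source"]:<22} -> {row["target"]:<14} {row["ou"]}')
    for domain, old, new in collisions:
        print(f"COLLISION: {domain}\\{old} renamed to {new}; confirm with the account owner")
```

Review the collision list before creating anything in the target domain: each entry is a person whose logon name changes.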
A Timesaver
If you have ADMT, you can use it to copy the user accounts from the source domains (FIRST and SECOND) to the target domain (ALLFOLKS). To transfer the accounts, you first install ADMT. The Help file says you should install ADMT only on a Win2K domain controller in the target domain. However, I've successfully migrated user accounts while running ADMT on a Win2K Pro machine in the target domain. One restriction you must abide by, however, is that the target domain must be a native-mode Win2K domain.
Next, you'll need administrative powers in both the target and source domains. But ADMT is pickier than older cross-domain tools are. For example, if you used Netdom to move machine accounts from FIRST to ALLFOLKS, you could log on to an ALLFOLKS machine as an ALLFOLKS administrator. Then, to establish that you're simultaneously a FIRST administrator, you could execute a Net Use command to some resource on a FIRST domain controller.